What you need to know
- Microsoft has revealed serious vulnerabilities in pre-installed Android apps with millions of downloads.
- The security flaws could have allowed attackers to inject backdoor access or gain control of millions of devices.
- Google and other interested parties have already addressed the vulnerabilities.
Several serious security flaws in a mobile framework used by pre-installed Android apps from various mobile providers could have put millions of devices at risk. Microsoft has disclosed these vulnerabilities, which have since been patched.
The affected mobile framework was developed by mce Systems, an Israel-based provider of omnichannel device lifecycle management. Microsoft said it first discovered the security flaws in September 2021 and informed mce Systems as well as the affected mobile providers of its findings.
Microsoft identified the vulnerabilities as CVE-2021-42598, CVE-2021-42599, CVE-2021-42600, and CVE-2021-42601, with severity scores ranging from 7.0 to 8.9 (high severity).
The vulnerabilities affected apps with millions of downloads, potentially exposing users to remote or local attacks. According to the Microsoft 365 Defender Research Team, the bugs could have given attackers backdoor access or allowed them to gain “significant control” over vulnerable devices.
“Our analysis further showed that apps were embedded in the devices’ system image, suggesting that they were standard applications installed by phone providers,” Microsoft explained. “All apps are available in the Google Play Store where they undergo Google Play Protect’s automatic security checks, but these controls have not previously scanned for these types of issues.”
The security flaws have since been fixed after Microsoft worked with mce Systems and Google. Android Central has contacted Google for comments and will update this article when we receive a response.
Fortunately, there is currently no evidence to suggest that the vulnerabilities have been exploited in the wild. However, Microsoft warns that the vulnerable framework may still exist in apps from other telecommunications companies.
“Several other mobile providers were found using the vulnerable framework with their respective apps, suggesting that there may be additional undetected providers that may be affected,” said the Redmond-based software giant.
Microsoft added that Google Play Protect now scans for these types of vulnerabilities.
Still, the incident highlights the risks associated with pre-installed apps that ship on many of today’s best Android phones and cannot be removed without root access.